Description

This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise.

The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans[ ] array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later.

An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted PNG image. The malicious image may be hosted on a website, or sent as an email attachment.

Impact

A remote, unauthenticated attacker may be able to create a denial-of-service condition.

Solution

Upgrade
The libpng team has released a patch for libpng 1.0.25 and 1.2.17 to address this vulnerability. Administrators are encouraged to upgrade as soon as possible. Administrators who receive the libpng library from their operating system vendor should see the systems affected portion of this document for a list of affected vendors.